org.springframework.security.authentication

Class ProviderManager

java.lang.Object

org.springframework.security.authentication.ProviderManager

All Implemented Interfaces:

Aware, InitializingBean, MessageSourceAware, AuthenticationManager

public class ProviderManager
extends Object
implements AuthenticationManager, MessageSourceAware, InitializingBean

Iterates an Authentication request through a list of AuthenticationProviders.

AuthenticationProviders are usually tried in order until one provides a non-null response. A non-null response indicates the provider had authority to decide on the authentication request and no further providers are tried. If a subsequent provider successfully authenticates the request, the earlier authentication exception is disregarded and the successful authentication will be used. If no subsequent provider provides a non-null response, or a new AuthenticationException, the last AuthenticationException received will be used. If no provider returns a non-null response, or indicates it can even process an Authentication, the ProviderManager will throw a ProviderNotFoundException. A parent AuthenticationManager can also be set, and this will also be tried if none of the configured providers can perform the authentication. This is intended to support namespace configuration options though and is not a feature that should normally be required.

The exception to this process is when a provider throws an AccountStatusException, in which case no further providers in the list will be queried. Post-authentication, the credentials will be cleared from the returned Authentication object, if it implements the CredentialsContainer interface. This behaviour can be controlled by modifying the eraseCredentialsAfterAuthentication property.

Event Publishing

Authentication event publishing is delegated to the configured AuthenticationEventPublisher which defaults to a null implementation which doesn't publish events, so if you are configuring the bean yourself you must inject a publisher bean if you want to receive events. The standard implementation is DefaultAuthenticationEventPublisher which maps common exceptions to events (in the case of authentication failure) and publishes an AuthenticationSuccessEvent if authentication succeeds. If you are using the namespace then an instance of this bean will be used automatically by the <http> configuration, so you will receive events from the web part of your application automatically.

Note that the implementation also publishes authentication failure events when it obtains an authentication result (or an exception) from the "parent" AuthenticationManager if one has been set. So in this situation, the parent should not generally be configured to publish events or there will be duplicates.

See Also:

DefaultAuthenticationEventPublisher

Field Summary

Fields

Modifier and Type	Field and Description
protected MessageSourceAccessor	messages

Constructor Summary

Constructors

Constructor and Description
ProviderManager() Deprecated. Use constructor which takes provider list
ProviderManager(List<AuthenticationProvider> providers)
ProviderManager(List<AuthenticationProvider> providers, AuthenticationManager parent)

Method Summary

Methods

Modifier and Type	Method and Description
void	afterPropertiesSet()
Authentication	authenticate(Authentication authentication) Attempts to authenticate the passed Authentication object.
List<AuthenticationProvider>	getProviders()
boolean	isEraseCredentialsAfterAuthentication()
void	setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher)
void	setClearExtraInformation(boolean clearExtraInformation) Deprecated. the extraInformation property is deprecated
void	setEraseCredentialsAfterAuthentication(boolean eraseSecretData) If set to, a resulting Authentication which implements the CredentialsContainer interface will have its eraseCredentials method called before it is returned from the authenticate() method.
void	setMessageSource(MessageSource messageSource)
void	setParent(AuthenticationManager parent) Deprecated. Use constructor injection
void	setProviders(List providers) Deprecated. Use constructor injection

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

messages

protected MessageSourceAccessor messages

Constructor Detail

ProviderManager

@Deprecated
public ProviderManager()

Deprecated. Use constructor which takes provider list

ProviderManager

public ProviderManager(List<AuthenticationProvider> providers)

ProviderManager

public ProviderManager(List<AuthenticationProvider> providers,
               AuthenticationManager parent)

Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:

afterPropertiesSet in interface InitializingBean

Throws:

Exception

authenticate

public Authentication authenticate(Authentication authentication)
                            throws AuthenticationException

Attempts to authenticate the passed Authentication object.

The list of AuthenticationProviders will be successively tried until an AuthenticationProvider indicates it is capable of authenticating the type of Authentication object passed. Authentication will then be attempted with that AuthenticationProvider.

If more than one AuthenticationProvider supports the passed Authentication object, only the first AuthenticationProvider tried will determine the result. No subsequent AuthenticationProviders will be tried.

Specified by:

authenticate in interface AuthenticationManager

Parameters:

authentication - the authentication request object.

Returns:

a fully authenticated object including credentials.

Throws:

AuthenticationException - if authentication fails.

getProviders

public List<AuthenticationProvider> getProviders()

setMessageSource

public void setMessageSource(MessageSource messageSource)

Specified by:

setMessageSource in interface MessageSourceAware

setParent

@Deprecated
public void setParent(AuthenticationManager parent)

Deprecated. Use constructor injection

setAuthenticationEventPublisher

public void setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher)

setEraseCredentialsAfterAuthentication

public void setEraseCredentialsAfterAuthentication(boolean eraseSecretData)

If set to, a resulting Authentication which implements the CredentialsContainer interface will have its eraseCredentials method called before it is returned from the authenticate() method.

Parameters:

eraseSecretData - set to false to retain the credentials data in memory. Defaults to true.

isEraseCredentialsAfterAuthentication

public boolean isEraseCredentialsAfterAuthentication()

setProviders

@Deprecated
public void setProviders(List providers)

Deprecated. Use constructor injection

Sets the AuthenticationProvider objects to be used for authentication.

Parameters:

providers - the list of authentication providers which will be used to process authentication requests.

Throws:

IllegalArgumentException - if the list is empty or null, or any of the elements in the list is not an AuthenticationProvider instance.

setClearExtraInformation

@Deprecated
public void setClearExtraInformation(boolean clearExtraInformation)

Deprecated. the extraInformation property is deprecated

If set to true, the extraInformation set on an AuthenticationException will be cleared before rethrowing it. This is useful for use with remoting protocols where the information shouldn't be serialized to the client. Defaults to 'false'.

See Also:

AuthenticationException.getExtraInformation()